PT-2026-22292 · Ocaml · Ocaml

Justin Timperio

·

Published

2026-02-17

·

Updated

2026-03-17

·

CVE-2026-28364

CVSS v3.1

7.9

High

Vector: AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: OCaml versions prior to 4.14.3 and 5.x versions prior to 5.4.1
Description: A flaw exists in OCaml's Marshal deserialization process (within runtime/intern.c) that could allow for remote code execution. This issue stems from a missing bounds check in the readblock() function, which allows unbounded memcpy() operations using lengths controlled by an attacker from crafted Marshal data. The Marshal.from_channel, Marshal.from_bytes, Marshal.from_string, Stdlib.input_value, and Pervasives.input_value functions are affected when processing data from untrusted sources. The vulnerability can be triggered by corrupted or malicious marshaled data that causes undefined behavior in the runtime system when unmarshaled.
Recommendations: Upgrade to OCaml version 4.14.3 or later, or to OCaml version 5.4.1 or later.

Fix

RCE

Buffer Over-read

Weakness Enumeration

Related Identifiers

AZL-78495
AZL-79502
CVE-2026-28364
GHSA-J26J-M5XR-G23C
GHSA-M34R-CGQ7-JHFM
OESA-2026-1522
OESA-2026-1523
OESA-2026-1524
OESA-2026-1525
OESA-2026-1526
OPENSUSE-SU-2026:20368-1
OSEC-2026-01
SUSE-SU-2026:0800-1
SUSE-SU-2026:0830-1

Affected Products

Ocaml